xeol fails to identify php? #522

@kosztyua

Description

What happened:
Running latest (0.10.8) with current db (2025-03-21 00:00:45.663187 +0000 UTC) against an SBOM (generated with syft as cyclonedx-json) that contains generic PHP, but with a universal CPE identifier. Xeol does not find this, even though it is in the endoflife.date tables: https://github.com/endoflife-date/endoflife.date/blob/master/products/php.md?plain=1#L18

        {
            "bom-ref": "pkg:generic/php-cli@8.2.7?package-id=ba2d3ee5349f3d9b",
            "cpe": "cpe:2.3:a:php:php:8.2.7:*:*:*:*:*:*:*",
            "name": "php-cli",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "binary-classifier-cataloger"
                },
                {
                    "name": "syft:package:type",
                    "value": "binary"
                },
                {
                    "name": "syft:package:metadataType",
                    "value": "binary-signature"
                },
                {
                    "name": "syft:location:0:layerID",
                    "value": "sha256:59fd45b8638204bbb06b0ff009e56fdd5303d91aed77578552677dd03f312fa5"
                },
                {
                    "name": "syft:location:0:path",
                    "value": "/usr/local/bin/php"
                }
            ],
            "purl": "pkg:generic/php-cli@8.2.7",
            "type": "application",
            "version": "8.2.7"
        },
        {
            "bom-ref": "pkg:generic/php-fpm@8.2.7?package-id=9e2275063aa27200",
            "cpe": "cpe:2.3:a:php:php:8.2.7:*:*:*:*:*:*:*",
            "name": "php-fpm",
            "properties": [
                {
                    "name": "syft:package:foundBy",
                    "value": "binary-classifier-cataloger"
                },
                {
                    "name": "syft:package:type",
                    "value": "binary"
                },
                {
                    "name": "syft:package:metadataType",
                    "value": "binary-signature"
                },
                {
                    "name": "syft:location:0:layerID",
                    "value": "sha256:59fd45b8638204bbb06b0ff009e56fdd5303d91aed77578552677dd03f312fa5"
                },
                {
                    "name": "syft:location:0:path",
                    "value": "/usr/local/sbin/php-fpm"
                }
            ],
            "purl": "pkg:generic/php-fpm@8.2.7",
            "type": "application",
            "version": "8.2.7"
        },

What you expected to happen:
I would expect Xeol to identify PHP based on the CPE identifier.

How to reproduce it (as minimally and precisely as possible):
I can share an SBOM if needed.

Anything else we need to know?:
This probably relates to my other ticket, #361, but that was handled as a Maven-specific case; this is probably a more generic issue now.

I have submitted a PR to endoflife.date to also include the purl identifier to see what happens when xeol database is rebuilt.

Environment:

  • Output of xeol version: 0.10.8
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.5 LTS
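The matching the report expects, written out as an added example (this is not xeol's code and does not reflect how xeol or its database work internally): read the components of a CycloneDX JSON SBOM, parse each `cpe` field as a CPE 2.3 formatted string (with escaped colons honoured), reduce the version to a `major.minor` release cycle and look that cycle up in an end-of-life table keyed by vendor and product. The SBOM fragment is modelled on the one above and the EOL table, its dates included, is constructed for the example; it is not endoflife.date data.

```python
"""Added example: CPE-based end-of-life matching over a CycloneDX SBOM.

Not xeol's code. The SBOM fragment and the EOL table (including its dates)
below are constructed for illustration only.
"""
import json
from datetime import date

# Constructed CycloneDX fragment modelled on the report; the curl component
# has no cpe field and is there to show the unmatched path.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:generic/php-cli@8.2.7?package-id=ba2d3ee5349f3d9b",
     "cpe": "cpe:2.3:a:php:php:8.2.7:*:*:*:*:*:*:*",
     "name": "php-cli", "purl": "pkg:generic/php-cli@8.2.7",
     "type": "application", "version": "8.2.7"},
    {"bom-ref": "pkg:generic/php-fpm@8.2.7?package-id=9e2275063aa27200",
     "cpe": "cpe:2.3:a:php:php:8.2.7:*:*:*:*:*:*:*",
     "name": "php-fpm", "purl": "pkg:generic/php-fpm@8.2.7",
     "type": "application", "version": "8.2.7"},
    {"bom-ref": "pkg:deb/debian/curl@7.88.1", "name": "curl",
     "purl": "pkg:deb/debian/curl@7.88.1", "type": "library", "version": "7.88.1"}
  ]
}
"""

# Constructed EOL table: (vendor, product) -> {release cycle: support end date}.
# Placeholder dates; a real check would load the product data from endoflife.date.
EOL_TABLE = {
    ("php", "php"): {"8.2": date(2026, 12, 31), "8.1": date(2025, 12, 31)},
}

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named fields.

    A backslash escapes a literal colon inside a field, so a plain str.split
    on ':' would mis-parse such values; the escape is kept in the field text.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    fields, cur, i = [], [], len(prefix)
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != len(CPE_FIELDS):
        raise ValueError("expected %d CPE fields, got %d" % (len(CPE_FIELDS), len(fields)))
    return dict(zip(CPE_FIELDS, fields))


def release_cycle(version):
    """Reduce a full version such as '8.2.7' to the 'major.minor' cycle EOL tables use."""
    parts = version.split(".")
    return ".".join(parts[:2]) if len(parts) >= 2 else parts[0]


def match_eol(sbom_text, table, today_iso):
    """Return one finding per component: matched via CPE, or the reason it was not."""
    today = date.fromisoformat(today_iso)
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        cpe = comp.get("cpe")
        if not cpe:
            findings.append({"name": comp.get("name"), "matched": False,
                             "reason": "no cpe field"})
            continue
        c = parse_cpe23(cpe)
        cycles = table.get((c["vendor"].lower(), c["product"].lower()))
        if cycles is None:
            findings.append({"name": comp["name"], "matched": False,
                             "reason": "vendor/product not in EOL table"})
            continue
        cycle = release_cycle(c["version"])
        eol = cycles.get(cycle)
        findings.append({"name": comp["name"], "matched": True,
                         "product": c["product"], "cycle": cycle, "eol": eol,
                         "is_eol": eol is not None and today > eol})
    return findings


if __name__ == "__main__":
    for finding in match_eol(SBOM_JSON, EOL_TABLE, "2025-03-21"):
        print(finding)
```

Both PHP binaries resolve to the `php/php` product and the `8.2` cycle through their CPE alone, independent of the `pkg:generic` purl; the component without a `cpe` field is reported as unmatched rather than silently skipped, which is the behaviour a defender wants from an EOL check.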

Metadata

  • Labels: bug (Something isn't working)